TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The IRS2GO Smartphone Application Is Secure, but Development Process Improvements Are Needed

August 29, 2011

Reference Number: 2011-20-076

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov


HIGHLIGHTS

THE IRS2GO SMARTPHONE APPLICATION IS SECURE, BUT DEVELOPMENT PROCESS IMPROVEMENTS ARE NEEDED

Final Report issued on August 29, 2011

Highlights of Reference Number: 2011-20-076 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) developed the IRS2GO mobile application for the Apple iPhone® and the Google Android® smartphones. The application was successfully released to the public on January 20, 2011, and 147,205 iPhone users and 178,773 Android users had signed up as of May 15, 2011, and March 1, 2011, respectively. Although the IRS2GO application is secure, enhancements in the development process could be made for future mobile applications to ensure taxpayer privacy and security.

WHY TIGTA DID THE AUDIT

This audit was initiated because the IRS2GO application was the first mobile application developed by the IRS, and it allows the user to check on the status of his or her tax refund and receive tax tips. Our overall objective was to determine whether the IRS adequately tested and secured the IRS2GO smartphone application.

WHAT TIGTA FOUND

The IRS2GO application adequately secures data communications and does not store sensitive or Personally Identifiable Information on the smartphone. The IRS2GO application is available only from the Apple App Store or the Android Market. Smartphone users should ensure they are downloading this application from one of these two sites.

TIGTA found that appropriate processes were not followed for using a nonapproved programming language and open source software in the development of the IRS2GO application. Management was aware of the requirement to request waivers, but advised it made a risk-based decision not to pursue waivers in consideration of time constraints for the project. However, the IRS could not provide any documentation of the risk-based decision and informed us that it was a verbal decision. TIGTA also found that documents required to authorize releasing the IRS2GO application to the public were not obtained until after the application was released. While the IRS2GO application did not have any significant security issues when it was released to the public, using a system development approach that does not comply with Office of Management and Budget Circular A-130 regulations increases the risk that applications released to the public may contain security or privacy weaknesses.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Associate Chief Information Officer, Enterprise Services, should ensure that waivers are obtained prior to deployment when applicable, risk-based decisions are clearly documented, and updates to the Plan of Action and Milestones are addressed within the appropriate time period. In addition, the Associate Chief Information Officer, Enterprise Services, should coordinate the review of open source technologies for consideration of approval for use in future application development efforts and ensure that all system development activities follow an approach that is compliant with Office of Management and Budget Circular A-130.

The IRS agreed with all of TIGTA's recommendations. In developing future mobile applications, the IRS plans to obtain the appropriate waivers prior to deployment, generate appropriate documentation for any risk-based decision, timely address appropriate actions, and continue to review proprietary and open source technologies. The IRS also plans to adhere to the current limited-use approval process and the Office of Management and Budget Circular A-130 for future pilot innovative projects.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

August 29, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:    Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The IRS2GO Smartphone Application Is Secure, but Development Process Improvements Are Needed (Audit # 201120023)

This report presents the results of our review of the IRS2GO smartphone application. The overall objective of this review was to determine whether the Internal Revenue Service (IRS) adequately tested and secured the IRS2GO smartphone application that allows taxpayers to check the status of their refunds. This audit was initiated because the IRS2GO application was the first mobile application developed by the IRS. This review addresses the major management challenge of Modernization of the IRS.

Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.


Table of Contents

Background ............................................................ Page 1

Results of Review ..................................................... Page 3
    The IRS2GO Application Adequately Protects Data Transmissions and
    Personally Identifiable Information ............................... Page 3
    Apple iPhone® Programming Tools Were Not Approved ................. Page 3
        Recommendations 1 and 2: ...................................... Page 5
    The IRS2GO Application Was Made Available to the Public Prior to
    Receiving Authorization for Release ............................... Page 5
        Recommendation 3: ............................................. Page 6

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ........... Page 7
    Appendix II – Major Contributors to This Report ................... Page 9
    Appendix III – Report Distribution List ........................... Page 10
    Appendix IV – Glossary of Terms ................................... Page 11
    Appendix V – Management's Response to the Draft Report ............ Page 14


Abbreviations

ELC    Enterprise Life Cycle
IRM    Internal Revenue Manual
IRS    Internal Revenue Service


Background

Mobile phones have undergone several major developmental shifts since they first became available to the public. The first mobile phones were heavy and expensive to operate. True handheld cellular mobile phone technology became available in the United States early in the 1980s and provided access to voice communications only. Later versions added the capability of text messaging.

In the 2000s, mobile phones became increasingly similar to small computers, with their own operating systems. These phones not only provided voice and text communications, but also allowed users access to the Internet via built-in web browsers and had the capability of running small applications provided by the mobile phone manufacturer.

Currently, even more advanced mobile phones (hereafter called smartphones) like the Apple iPhone® and the Google Android® not only provide their users with voice, text, and web browsing capability, but also provide access to third-party applications with expanded capabilities such as access to Global Positioning Satellite data, driving directions, road hazards, and remote control of home appliances like web cameras and digital recorders for satellite and cable television systems.

The Internal Revenue Service (IRS) recognized the fact that today's smartphone users were not being fully served via the current IRS web site and traditional phone assistance to access IRS resources. Therefore, the IRS developed a smartphone application that would provide tax tips to the smartphone user and allow the user to check on the status of his or her tax refund.

The IRS named its application IRS2GO, and it was launched on January 20, 2011, for the Apple iPhone and the Google Android smartphones. Apple iPhone users can download the application from the Apple App Store, while Android users can download it from the Android Market. The IRS2GO application had signed up 147,205 iPhone users and 178,773 Android users as of May 15, 2011, and March 1, 2011, respectively.[1]

This review was performed at the Modernization and Information Technology Services organization's Cybersecurity and Enterprise Services offices in New Carrollton, Maryland, during the period February through June 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] The number of users signed up for a smartphone app changes as additional users download the app or users remove the app from their smartphone.


Results of Review

The IRS2GO Application Adequately Protects Data Transmissions and Personally Identifiable Information

The Internal Revenue Manual (IRM) requires that applications using the Internet for the transmission of sensitive information shall use virtual private networks,[2] application-level encryption, or another approved means to protect data. The transmission of nonpublic IRS information, such as a Social Security Number, from a department server over the Internet shall be protected using a secure protocol that provides Federal Information Processing Standards Publication 140-2 or later compliant cryptography to prevent unauthorized disclosure and recognize unauthorized changes during transmission. In addition, as a requirement for all systems used to enter, process, store, display, or transmit sensitive information, the IRS shall use only cryptographic modules that have been validated in accordance with Federal Information Processing Standards 140-2 or later.

When the taxpayer requests the status of his or her refund, the IRS2GO application requires the user to provide the Social Security Number of the account to be checked, the Filing Status shown on the return in question, and the amount of the refund that the taxpayer expected to get back on the return. We determined through our discussions and review of security testing documentation that the IRS2GO application is encrypting all communications between the smartphone and the IRS web servers that are processing the request for the status of the taxpayer's refund. In addition, the application does not store sensitive or Personally Identifiable Information on the smartphone, and the application disables the copy and paste functions so the information cannot be accessed or copied.

While the IRS2GO application is adequately securing taxpayer data, taxpayers should be careful not to save their sensitive information in a nonsecure manner elsewhere on their smartphones. The IRS application is available only from the Apple App Store or the Android Market. Therefore, taxpayers who desire to use the IRS application should ensure they are downloading the IRS2GO application from one of those two sites. Although the application is secure, we identified several issues related to the development process.

[2] See Appendix IV for a glossary of terms.

Apple iPhone Programming Tools Were Not Approved

The IRS developed Programming and Source Code Standards that establish standards and guidelines to promote the development of maintainable, portable, and reliable software applications in all IRS used/approved languages. A list of authorized open source languages and libraries is available to developers, and a waiver process has been developed for those situations where products not on the list need to be used.

The IRS also established guidelines to coordinate the assessment, development, maintenance, and improvement of development controls. To manage deviations from these controls, a waiver must be obtained. These guidelines also require that:

   •  A record of all exceptions and deviations shall be maintained.
   •  There shall be no waivers or deviations from the controls established under the IRM without approval from the Software Quality Committee.
   •  All new weaknesses are entered into appropriate Plan of Action and Milestones within 1 month of identification for program-level weaknesses and those for Federal Information Processing Standards Publication 199 HIGH systems, and 2 months for weaknesses for other systems.

On February 28, 2011, the IRS issued interim IRM guidelines implementing a new risk-based decision process. According to the new risk-based decision policy, the IRS shall allow exceptions to its own information technology security policies based on suitable justification and a thorough assessment of evident and potential risks when a security weakness is discovered. There are only two acceptable reasons for a risk-based decision: the IRM requirement is technically or operationally not possible, or it is not cost-effective. Risk-based decisions shall be tracked in a Plan of Action and Milestones as part of a system's security authorization.

The IRS2GO iPhone application uses the Objective C programming language, which is similar to the approved C++ and C languages. It also has many differences and is defined as a separate programming language. Additionally, the iPhone IRS2GO application uses an open source library that has not been authorized for application development.

The IRS2GO application underwent a security code review conducted by an outside contractor, and a report of the results was issued on December 23, 2010. Although there were no security vulnerabilities identified, the report discusses the fact that Objective C and an open source library were in use for the iPhone IRS2GO application. The contractor also noted that a waiver would be required for the open source library prior to the release of the application to the Apple App Store. A Security Risk Assessment by the IRS Cybersecurity organization released in October 2010 included a comment that nonapproved technologies were being used for the Apple iPhone code and recommended that waivers be requested.

Management was aware of the requirement to request waivers for the application more than 2 months prior to the release of the application to the public, and despite the recommendations of both the contractor that performed the code review and the IRS Cybersecurity organization staff, the Enterprise Services organization did not request waivers for the use of these nonapproved technologies. Management advised the Treasury Inspector General for Tax Administration that they made a risk-based decision not to pursue waivers in consideration of time constraints for the project; however, the IRS could not provide any documentation of the risk-based decision and informed us that it was a verbal decision. In March 2011, the IRS added the need to obtain waivers for the use of nonapproved open source technologies to the Plan of Action and Milestones.

While no significant security problems were identified, development of future smartphone applications should follow approved processes to avoid introducing unnecessary risk into the development process, which could result in the development of vulnerable software.

Recommendations

Recommendation 1: The Associate Chief Information Officer, Enterprise Services, should ensure that waivers are obtained prior to deployment, when applicable; risk-based decisions are clearly documented at the time the decisions are made; and updates to the Plan of Action and Milestones are addressed within the appropriate time period.

    Management's Response: The IRS agreed with this recommendation. Enterprise Services will ensure that waivers are obtained prior to deployment of new mobile applications, when applicable. In addition, the IRS will ensure proper documentation is generated for any risk-based decision based on IRS guidelines and appropriate actions are addressed timely.

Recommendation 2: The Associate Chief Information Officer, Enterprise Services, should coordinate with the Enterprise Architecture organization and the Quality Software Committee to review open source technologies for consideration of approval for use in future application development efforts.

    Management's Response: The IRS agreed with this recommendation. In accordance with current practices, Enterprise Services will ensure that future pilot innovative projects, such as IRS2GO, adhere to the established limited-use approval process. The Enterprise Architecture organization, the Quality Software Council, and other governing bodies will also continue to review proprietary and open source technologies to determine suitability for adoption into the IRS environment for future and current use.

The IRS2GO Application Was Made Available to the Public Prior to Receiving Authorization for Release

Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed upon set of security controls. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. The Office of Management and Budget Circular A-130, Management of Federal Information Resources, made a single person responsible for operational security or the authority to operate.

The IRS has a sophisticated Enterprise Life Cycle (ELC) development process that it uses for large application development projects. The ELC process is not suited for small application development projects like the IRS2GO application that take only a couple of months to go from planning to implementation. The IRS ELC Project Management office is working within the applications development offices to develop more streamlined lifecycle processes for smaller, faster paced developments. For this reason, the IRS piloted an agile project management approach to develop the IRS2GO mobile application. However, documents required to authorize releasing the IRS2GO application to the public were not obtained until after the application was released because the IRS followed a pilot development process instead of an approved formal ELC process.

   •  On January 20, 2011, version 1.0 of the IRS2GO application was made available to the public.
   •  On January 21, 2011, a minor change to the IRS2GO application resulted in version 1.01 being released.
   •  On January 25, 2011, the IRS Authorizing Official and the IRS2GO Information System Owner both gave their approval for the IRS2GO application to go live.
   •  On February 23, 2011, the approval to forgo the Privacy Impact Assessment requirement was signed.

While the IRS2GO application did not have any significant security issues when it was released to the public, using a system development approach that does not comply with Office of Management and Budget Circular A-130 regulations increases the risk that applications released to the public may contain security or privacy weaknesses.

Recommendation

Recommendation 3: The Associate Chief Information Officer, Enterprise Services, should ensure that all system development activities follow an approach that is compliant with Office of Management and Budget Circular A-130.

    Management's Response: The IRS agreed with this recommendation. In accordance with current practices, Enterprise Services will ensure that all future system development activities using an agile or (rapid) project management approach are compliant with or effectively address the intent of the Office of Management and Budget Circular A-130.


Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether the IRS adequately tested and secured the IRS2GO smartphone application that allows taxpayers to check the status of their refunds. To accomplish our objective, we:

I.   Determined whether the IRS has developed adequate policies and procedures pertaining to developing and securing smartphone applications.
     A. Researched the IRS, Department of the Treasury, and National Institute of Standards and Technology guidelines for application development procedures to ascertain whether small applications like the IRS2GO application are covered.
     B. Interviewed the application developers and reviewed documentation to verify that the appropriate procedures and guidelines have been followed.
     C. Researched the responsibility that the IRS has toward protecting taxpayers from third-party applications that access IRS web services.

II.  Determined whether the IRS2GO application adequately protects taxpayer Personally Identifiable Information.[1]
     A. Verified through documentation review and discussions whether data transmissions are securely encrypted between the smartphone and the IRS web servers.
     B. Verified through documentation review and discussions whether taxpayer information is not being stored on the smartphone unless there is a significant need to maintain that data and it is securely encrypted.

III. Determined whether the IRS thoroughly tested the IRS2GO application code before releasing it to the public.
     A. Reviewed the results of any code reviews performed by the application developers to ensure that coding issues were corrected or mitigated fully.
     B. Reviewed the results of any security testing performed by the Cybersecurity organization to ensure that all security issues were resolved or mitigated fully.

[1] See Appendix IV for a glossary of terms.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the Enterprise Services organization's policies and procedures for developing small applications and performing security testing. We evaluated the controls by interviewing management and reviewing policies and procedures and relevant supporting documentation.


Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Danny Verneuille, Director
Larry Reimer, Information Technology Audit Manager
Cari Fogle, Lead Auditor
Mark Carder, Senior Auditor
Daniel Oakley, Information Technology Specialist


Appendix III

Report Distribution List

Commissioner  C
Office of the Commissioner – Attn: Chief of Staff  C
Deputy Commissioner for Operations Support  OS
Deputy Chief Information Officer for Operations  OS:CTO
Director, Privacy, Information Protection, and Data Security  OS:P
Associate Chief Information Officer, Applications Development  OS:CTO:AD
Associate Chief Information Officer, Cybersecurity  OS:CTO:C
Associate Chief Information Officer, Enterprise Services  OS:CTO:ES
Director, Customer Service  OS:CTO:AD:CS
Director, Web Services  OS:CTO:ES:WS
Director, Security Risk Management  OS:CTO:C:SRM
Chief Counsel  CC
National Taxpayer Advocate  TA
Director, Office of Legislative Affairs  CL:LA
Director, Office of Program Evaluation and Risk Analysis  RAS:O
Office of Internal Control  OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division  OS:CTO:SP:RM


Appendix IV

Glossary of Terms

Term: Definition

Agile Project Management: An iterative method of determining requirements for software and for delivering projects in a highly flexible and interactive manner, where deliverables are submitted in stages. One difference between agile and iterative development is that the delivery time in agile is in weeks rather than months.

Application-Level Encryption: Transport Layer Security and its predecessor, Secure Sockets Layer, are cryptographic protocols that provide communications security over the Internet. The Transport Layer Security protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping and tampering. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, and instant messaging.

Cryptography: The practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include Automated Teller Machine cards, computer passwords, and electronic commerce.

Enterprise Life Cycle: Integrates the management, business, and engineering life cycle processes that span the enterprise to align its business and information technology activities. It generally refers to an organization's approach for managing activities and making decisions during ongoing refreshment of business and technical practices to support its enterprise mission.

Federal Information Processing Standard Publication 140-2 Series: Issued by the National Institute of Standards and Technology to coordinate the requirements and standards for cryptography modules that include both hardware and software components. The cryptographic modules are produced by the private sector or open source communities for use by the Federal Government and other regulated industries that collect, store, transfer, share, and disseminate sensitive but unclassified information.

Federal Information: Standards
to be used by all Federal agencies to categorize all\nProcessing Standards             information and information systems collected or maintained\nPublication 199                  by or on behalf of each agency based on the objectives of\n                                 providing appropriate levels of information security according\n                                 to a range of risk levels. The potential impact is HIGH if the\n                                 loss of confidentiality, integrity, or availability could be\n                                 expected to have a severe or catastrophic adverse effect on\n                                 organizational operations, organizational assets, or\n                                 individuals.\nOpen Source Library              Libraries contain code and data that provide services to\n                                 independent programs. This allows the sharing and changing\n                                 of code and data in a modular fashion. Open source describes\n                                 a broad general type of software license that makes source\n                                 code available to the general public with relaxed or\n                                 nonexistent copyright restrictions.\nPersonally Identifiable          Refers to information that can be used to uniquely identify,\nInformation                      contact, or locate a single person or can be used with other\n                                 sources to uniquely identify a single individual.\nPlan of Action and Milestones    The process of planning and identifying the tasks necessary to\n                                 reduce the risks of each weakness found in an information\n                                 technology system. 
It documents the remedial actions taken to\n                                 address any deficiencies in the security policies and monitors\n                                 the progress of corrective actions.\n\n\n\n\n                                                                                         Page 12\n\x0c                         The IRS2GO Smartphone Application Is Secure, but\n                          Development Process Improvements Are Needed\n\n\n\n\n             Term                                         Definition\nPrivacy Impact Assessment       The IRS conducts a Privacy Impact Assessment on\n                                information systems that collect Personally Identifiable\n                                Information. Performing Privacy Impact Assessments ensures\n                                that the public is aware of the information collected by the IRS\n                                about them, any impact these systems have on personal\n                                privacy is adequately addressed, and the IRS collects enough\n                                personal information to administer its programs and no more.\nSecurity Authorization          A comprehensive assessment of the management, operational,\n                                and technical security controls in an information system, made\n                                in support of security accreditation, to determine the extent to\n                                which the controls are implemented correctly, operating as\n                                intended, and producing the desired outcome with respect to\n                                meeting the requirements for the system.\nSensitive but Unclassified      A designation of information in the Federal Government that,\nInformation                     though unclassified, often requires strict controls over its\n                                distribution.\nVirtual Private Networks        A 
secure way of connecting to a private Local Area Network\n                                at a remote location, using the Internet or any insecure public\n                                network to transport the network data packets privately, using\n                                encryption.\nWeb Server                      Can refer to either the hardware (the computer) or the software\n                                (the computer application) that helps to deliver content that\n                                can be accessed through the Internet.\n\n\n\n\n                                                                                        Page 13\n\x0c       The IRS2GO Smartphone Application Is Secure, but\n        Development Process Improvements Are Needed\n\n\n\n                                                  Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 14\n\x0cThe IRS2GO Smartphone Application Is Secure, but\n Development Process Improvements Are Needed\n\n\n\n\n                                                   Page 15\n\x0cThe IRS2GO Smartphone Application Is Secure, but\n Development Process Improvements Are Needed\n\n\n\n\n                                                   Page 16\n\x0cThe IRS2GO Smartphone Application Is Secure, but\n Development Process Improvements Are Needed\n\n\n\n\n                                                   Page 17\n\x0c'